Abstract

Due to the commonly known impossibility results, information-theoretic
security is considered impossible for oblivious transfer (OT) in both
the classical and the quantum world. In this paper, we propose a weak
version of the all-or-nothing OT. In our protocol the honest parties do not
need long-term quantum memory, entanglement, or sophisticated quantum
computations. We observe some differences between the classical and
quantum OT impossibilities.
1 Introduction

Oblivious Transfer (OT) is an important two-party cryptographic protocol that
serves as a building block for many general cryptographic primitives. In the
first OT system, introduced by Rabin [14], a message is received with
probability 1/2 and the sender does not know whether the message reaches the
receiver. This was later called the all-or-nothing OT or simply the Rabin OT.
Even et al. [7] defined the 1-out-of-2 OT, where the sender has two secrets and
the receiver can choose one and only one of them in an oblivious manner. That
is, the sender cannot know the receiver's choice and the receiver cannot know
anything more than one secret. The two types of OT are shown to be equivalent
in the classical world [3], in the sense that one form of OT can be used as a
building block to construct the other.

For both types of OT in the classical world, it is rather obvious that
unconditional, information-theoretic security cannot be achieved for both
sides at the same time. Therefore, computational assumptions such as the
existence of trapdoor functions are required. In the practical sense, the
hardness of factorization and discrete logarithm are popular assumptions that
are often required in many cryptographic protocols. Such assumptions are
deeply threatened by the development of quantum computing, due to Shor's
algorithm [16].

On the other hand, quantum techniques also provide new potential tools for
the construction of cryptographic primitives. For example, the BB84 protocol [2]
was proposed for key agreement with unconditional security, which is impossible
in the classical world. Therefore, there is hope that quantum cryptography will
develop faster than quantum cryptanalysis, and a new kind of cryptography will
be ready to replace the old one before it turns out to be insecure. Moreover,
it is interesting to note that the original idea of OT comes from the quantum
realm, in the novel paper by Wiesner [17].

1.1 The background story of quantum OT 

Based on the BB84 key agreement, in 1994 Crépeau [4] proposed a novel protocol
for 1-out-of-2 OT which resolves most problems known in previous schemes. The
security of this scheme relies on the use of another important cryptographic
primitive, the Bit Commitment (BC). Since then, in [12] and [18] it has been
formally proved that [4] is secure with the use of quantum BC. The construction
of OT from BC using quantum techniques is itself an achievement, since such a
construction is not known in the classical world.

Unfortunately, in 1997 a few major impossibility results were found
concerning OT and BC. These include the work of Lo against the 1-out-of-2 OT [9]
and the work of Mayers [11] against BC. Lo and Chau [10] also independently
argued that unconditionally secure quantum BC is impossible. This is a major
setback and breakthrough in the research of quantum based OT, BC, and
general cryptographic protocols.

Since then, new protocols have been proposed, avoiding the known
impossibility results in various ways. For example, quantum BC can be secure
based on computational complexity assumptions [6] or physical assumptions about
the technology used by the adversary [15].

On the other hand, currently there are no known impossibility results against
the Rabin OT. It is unknown if the equivalence between Rabin OT and 1-out-of-2
OT in the classical world applies to the quantum world. If this is the case,
then quantum Rabin OT is also impossible. In this paper, to investigate the
possibility of Rabin OT, we study a weakened form of Rabin OT.

1.2 Our contribution 

In [4], the idea of the BB84 protocol is used to construct OT. The attack of
delayed measurement is the major reason that BC is required. Without BC,
there is no suitable time for sending the information about the basis of the
qubits. In this paper, we propose a weak Rabin OT protocol based on the B92
key agreement protocol [1]. Our observation is that, unlike the BB84 protocol,
in the B92 scheme the sender never needs to send the information about the
basis of the qubits.

Despite the general impossibility, there are some known differences for OT in
the classical and quantum world. In the classical world, OT is impossible even
in the honest-but-curious model, where the parties must follow the protocol,
but could try to gain more information through private computations. In the
quantum world, if the parties follow the protocol strictly, OT would be possible.

In this paper, we show that our weak OT protocol has some properties that 
are not possible in the classical world. This is another difference between the 
classical and quantum OT impossibilities. It also suggests that an impossibility 
result for Rabin OT may not be easy to obtain, since a weak version of it is 
actually possible. 

2 The weak Rabin OT protocol 

2.1 Definition 

There may be several ways to weaken the security definition of Rabin OT. For 
the sake of our study, we give the following definition for the weak Rabin OT 
(WROT) protocol, between sender Alice and receiver Bob. 

1. The honest Alice inputs a random message bit x. 

2. The honest Bob receives x correctly from the honest Alice with probability
p, a value specified in the protocol. Otherwise Bob receives zero
information about x. Bob knows if he has received x. If he does not receive x,
he outputs $\perp$.

3. For any run of the protocol, a cheating Alice has limited advantage v to
guess or change the probability that Bob outputs $\perp$. That is, in Alice's
final view, if the probability that Bob outputs $\perp$ is p', then
$|p' - (1 - p)| < |v|$. Note that a cheating Alice need not prepare any
message bit.

4. A cheating Bob always tries to increase the overall rate at which he gets x,
possibly through guessing. He need not be certain about the correctness
of the output, so he never outputs $\perp$. For any cheating Bob, his advantage
is limited to u. If the final rate at which he gets x correctly is q, then
$q < p + \frac{1-p}{2} + u$.

Under this definition, Alice can cheat either by trying to find out what
happens at Bob's side when he decodes the bit, or by really changing the
probability that Bob gets $\perp$. In the WROT, Alice can change the
probability that Bob gets $\perp$ by v. Also, Bob can increase the rate he gets
x to $q > p + \frac{1-p}{2}$. This is why the protocol is called weak.

2.2 The WROT construction 

At the beginning the two parties specify two non-orthogonal quantum states
$|\psi_0\rangle$ and $|\psi_1\rangle$ of one qubit. They use $|\psi_0\rangle$
to represent bit 0 and $|\psi_1\rangle$ to represent 1. According to x, Alice
prepares $|\psi_0\rangle$ or $|\psi_1\rangle$ to send to Bob, and Bob uses
the Positive Operator-Valued Measure (POVM) method to distinguish the two
states [13] unambiguously. Since only the angle $\alpha < \frac{\pi}{2}$
between vectors $|\psi_0\rangle$ and $|\psi_1\rangle$ affects Bob's ability to
distinguish them, we set $|\psi_0\rangle = |0\rangle$ and
$|\psi_1\rangle = a|0\rangle + \sqrt{1 - a^2}\,|1\rangle$, with
$a = \cos\alpha$. In this case the POVM elements are:

$$
\begin{aligned}
E_1 &= \frac{1}{1+a}\,|1\rangle\langle 1| \\
E_2 &= \frac{1}{1+a}\left(\sqrt{1-a^2}\,|0\rangle - a|1\rangle\right)\left(\sqrt{1-a^2}\,\langle 0| - a\langle 1|\right) \\
E_3 &= I - E_1 - E_2
\end{aligned}
\tag{1}
$$

where the decode probability for Bob is $p = 1 - a$ in the honest case. In other
words, Bob gets $\perp$ with probability a. The measurement matrices
$(E_1, E_2, E_3)$ represent the output symbols $(1, 0, \perp)$ of Bob,
respectively. The actual implementation of the POVM is not important. The
method in [13] suggests that Bob only needs a unitary operation of two qubits
followed by two measurements of one qubit.



2.3 Security properties 

First, we argue that Alice cannot use entanglement for cheating. Notice that 
in our simple scheme, Alice sends a qubit to the honest Bob and he measures 
it with the POVM. If the qubit is entangled with some quantum states held by
Alice, the cheating Alice should perform her measurement on such quantum 
states after Bob finishes his. But due to fundamental physical laws, Alice could 
never receive any information about whether Bob has performed a measurement. 
So there is no difference if Alice measures before Bob does. In that case, Alice 
would have created and collapsed the entanglement at the same time, before 
the qubit is sent out. This gives her no use of the entanglement. This argument 
is valid for any implementation of the POVM at Bob's side. 

Instead of using entanglement, Alice would do better to create a pure state
qubit $|\psi\rangle$ she wants to send to Bob. For this case, $|\psi\rangle$
can be any one qubit state. In general $|\psi\rangle$ would be
$\sqrt{1 - d_1^2 - d_2^2}\,|0\rangle + (d_1 + i d_2)|1\rangle$ where
$d_1, d_2$ are real numbers and $d_1^2 + d_2^2 < 1$. The probability of Bob
getting $\perp$ is changed to $\langle\psi|E_3|\psi\rangle$.

We can compute Alice's advantage v by the difference between this
probability and the value a, the rate of Bob getting $\perp$ in the honest
case. A direct calculation gives

$$
v = \langle\psi|E_3|\psi\rangle - a = \frac{2a\left(-a d_1^2 - a d_2^2 + d_1\sqrt{(1 - a^2)(1 - d_1^2 - d_2^2)}\right)}{1 + a}. \tag{2}
$$

If Alice is cheating, she could either increase or decrease the chance that
Bob gets $\perp$. She can always make sure that Bob does not get $\perp$ at
all, when $\langle\psi|E_3|\psi\rangle = 0$. The lowest (negative) value of v
is always $-a$. From (2), the highest value of v, given a, occurs when
$d_1 = \sqrt{\frac{1-a}{2}}$ and $d_2 = 0$. In this case,
$v = a\left(\frac{1-a}{1+a}\right) < a$. In the WROT, Alice can freely choose
any v between the maximum and minimum. Since $-a < v < a$, Alice's advantage
$|v|$ can be controlled by the choice of a in the protocol. A smaller a
provides better security against Alice.

Next, we consider a cheating Bob, who would never output $\perp$, but would
rather try to guess x. He accepts some uncertainty, which is unavoidable since
the two given states are non-orthogonal. To provide the lowest error rate
guessing x, he chooses an optimized projection with orthogonal basis
$|\phi_0\rangle$ and $|\phi_1\rangle$. Optimization is achieved [8] when
$\sum_i \sin^2\theta_i$ is minimized, where $\theta_i$ is the angle between
$|\psi_i\rangle$ and $|\phi_i\rangle$ for $i \in \{0, 1\}$. This happens when
$\theta_0 = \theta_1 = \frac{\pi}{4} - \frac{\alpha}{2}$. Call this angle
$\theta$; the error rate of Bob guessing x is $\sin^2\theta$. Therefore
$q = \cos^2\theta$.

Here, we observe a difference between classical and quantum world
concerning the WROT. For the classical world, even in the honest-but-curious
model of weaker attacks, Alice can compute exactly what Bob can, based on the
communication between them. That is, Alice knows Bob's view about the random
variable x. Therefore, either Alice can know for certain that Bob outputs
$\perp$, or Bob can find a way to compute x. In terms of the WROT, it is
either $v = p$ or $q = 1$.

In the quantum case based on our scheme, Alice never has complete
information of Bob's view on x, as the result of the POVM is unpredictable. It
can be seen that v can be much smaller than $p = 1 - a$, while $q \neq 1$ as
there is no way to perfectly distinguish non-orthogonal quantum states.

We can study the relation between a, the maximized v, and the maximized
u. Figure 1 shows the graph of u and v against a. While a trade-off between u
and v may be expected, in our scheme both u and v can be suppressed with a
lower a. But this is not at all good news because, in very vague terms, when
a is too small, the usefulness of the Rabin OT is also low, as the uncertainty
about whether Bob receives $\perp$ is small from Alice's point of view. Note
that the graph only plots the maximum value of v, not the minimum. The minimum
value is $v = -a$ and it is significant when a is larger. Therefore it is
reasonable to consider only small a.
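
The quantities of Sections 2.2 and 2.3 can be checked numerically. The Python sketch below is an added example, not code from the paper; the function names and the grid search over real d1 are assumptions made for illustration. It builds the POVM of Eq. (1), compares the matrix computation of v with Eq. (2), and evaluates the cheating Bob's q and u.

```python
import math

def povm(a):
    """(E1, E2, E3) of Eq. (1) as real 2x2 matrices, for overlap a = cos(alpha)."""
    s, k = math.sqrt(1 - a * a), 1 / (1 + a)
    E1 = [[0.0, 0.0], [0.0, k]]                               # Bob outputs 1
    E2 = [[k * s * s, -k * s * a], [-k * s * a, k * a * a]]   # Bob outputs 0
    E3 = [[(i == j) - E1[i][j] - E2[i][j] for j in range(2)]  # Bob outputs ⊥ (no result)
          for i in range(2)]
    return E1, E2, E3

def prob(E, psi):
    """Outcome probability <psi|E|psi> for a qubit state psi = [c0, c1]."""
    return sum(psi[i].conjugate() * E[i][j] * psi[j]
               for i in range(2) for j in range(2)).real

def alice_advantage(a, d1, d2=0.0):
    """v = <psi|E3|psi> - a for sqrt(1-d1^2-d2^2)|0> + (d1 + i*d2)|1>."""
    psi = [math.sqrt(max(0.0, 1 - d1 * d1 - d2 * d2)), complex(d1, d2)]
    return prob(povm(a)[2], psi) - a

def eq2(a, d1, d2=0.0):
    """Closed form of Eq. (2), for comparison with the matrix computation."""
    r = math.sqrt((1 - a * a) * max(0.0, 1 - d1 * d1 - d2 * d2))
    return 2 * a * (-a * d1 * d1 - a * d2 * d2 + d1 * r) / (1 + a)

def bob_rates(a):
    """Cheating Bob's guessing rate q = cos^2(theta) and advantage u over p + (1-p)/2."""
    theta = math.pi / 4 - math.acos(a) / 2
    q, p = math.cos(theta) ** 2, 1 - a
    return q, q - (p + (1 - p) / 2)

def summary(a, steps=2000):
    """Honest rates, Alice's extreme v (grid over real d1 in [-1, 1]), Bob's q and u."""
    E1, E2, _ = povm(a)
    psi0, psi1 = [1.0, 0.0], [a, math.sqrt(1 - a * a)]
    vs = [alice_advantage(a, -1 + 2 * i / steps) for i in range(steps + 1)]
    q, u = bob_rates(a)
    return {"p": prob(E1, psi1), "wrong": prob(E1, psi0) + prob(E2, psi1),
            "v_min": min(vs), "v_max": max(vs), "q": q, "u": u}

if __name__ == "__main__":
    for a in (0.05, 0.2, 0.5):
        print(a, {k: round(x, 4) for k, x in summary(a).items()})
```

The "wrong" entry is the probability that honest Bob decodes the opposite bit; it is zero because the discrimination is unambiguous.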

3 Relation with OT impossibility 

If the WROT is used to construct 1-out-of-2 OT using standard techniques
[3], a weak 1-out-of-2 OT will result, but the weakness parameters of the
obtained scheme would be rather high. Therefore it does not meet the conditions
for enhancement to normal OT [5]. In this way, our protocol neither violates
the impossibility of 1-out-of-2 OT nor suggests inequivalence of Rabin OT and
1-out-of-2 OT. On the other hand, it is currently unknown if the normal Rabin
OT is possible or not. But to seek any impossibility result one must avoid our
constructive result of weak Rabin OT.

Figure 1: Relation of v and u with respect to a.